CVE-2020-8552: Kube-apiserver vulnerable to Denial of service(DoS) #2328

Ebaneck · 2020-03-24T07:56:08Z

Component:

'kubernetes'

What happened:

The Kubernetes API server has been found to be vulnerable to a denial of service attack via authorized API requests.
CVSS Rating: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (Medium)

Affected Versions
kube-apiserver v1.17.0 - v1.17.2
kube-apiserver v1.16.0 - v1.16.6
kube-apiserver < v1.15.10

Fixed Versions
v1.17.3
v1.16.7
v1.15.10

Resolution proposal (optional):

Bump the Kube-apiserver version for release and to be released branches.

For branch 2.5 we use kube-apiserver 1.16.2(vulnerable)
For branch 2.4 we use kube-apiserver 1.15.5(vulnerable)

Closes: #2328 Closes: #2327

Ebaneck added topic:security Security-related issues complexity:easy Something that requires less than a day to fix labels Mar 24, 2020

thomasdanan added priority:high High priority issues, should be worked on ASAP (after urgent issues), not postponed severity:medium Medium impact (usability) on live deployments labels Mar 27, 2020

This was referenced Apr 3, 2020

kubernetes: Bump kubernetes version to 1.15.11 #2362

Merged

kubernetes: bump k8s version to 1.16.8 #2363

Merged

kubernetes: bump k8s version to 1.17.4 #2364

Merged

Ebaneck self-assigned this Apr 3, 2020

bert-e closed this as completed in 5913c85 Apr 3, 2020

bert-e closed this as completed in #2364 Apr 3, 2020

wabernat pushed a commit that referenced this issue Apr 14, 2020

kubernetes: Bump kubernetes version

72ed15e

Closes: #2328 Closes: #2327

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2020-8552: Kube-apiserver vulnerable to Denial of service(DoS) #2328

CVE-2020-8552: Kube-apiserver vulnerable to Denial of service(DoS) #2328

Ebaneck commented Mar 24, 2020

CVE-2020-8552: Kube-apiserver vulnerable to Denial of service(DoS) #2328

CVE-2020-8552: Kube-apiserver vulnerable to Denial of service(DoS) #2328

Comments

Ebaneck commented Mar 24, 2020